[3.5] curl: write-out out of buffer read (CVE-2017-7407)
There were two bugs in curl’s parser for the command line option
—write-out (or -w for short) that would skip the end of string zero
byte
if the string ended in a % (percent) or \ (backslash), and it would
read beyond that buffer in the heap memory and it could then
potentially
output pieces of that memory to the terminal or the target file etc.
Affected versions:
6.5 to and including 7.53.1
Not affected versions:
< 6.5 and >= 7.54.0
References:
https://curl.haxx.se/docs/security.html
Patch:
https://curl.haxx.se/CVE-2017-7407.patch
(from redmine: issue id 7134, created on 2017-04-13, closed on 2017-04-25)
- Relations:
- parent #7132 (closed)
- Changesets:
- Revision 39696e7a on 2017-04-25T11:58:58Z:
main/curl: security fixes #7174,#7134 (CVE-2017-7468, CVE-2017-7407)